Page 1

The ideal versus the real: a brief history of secure isolation in virtual machines and containers

Allison Randal, University of Cambridge

Except where otherwise noted, licensed under Creative Commons Attribution ShareAlike 4.0 International.

Page 2

Between the idea
And the reality
Between the motion
And the act
Falls the Shadow

– T.S. Eliot, “The Hollow Men”

Page 3

Secure Isolation

[Figure: two “Host OS” blocks, each running several isolated “OS” instances]

Page 8

a securely isolated process, running on a kernel, containing an OS image

Page 9

[Timeline figure, axis 1950, 1960, 1970, 1980, 1990, 2000, 2010, today. Systems placed on it: multiprogramming, M44/44X, B5000, capabilities, CP-40/CMS, CP-67/CMS, Multics, Chicago Magic Number Machine, CAL-TSS, UNIX, Plessey System 250, CAP, VM/370, iAPX 432, System/38, chroot, BSD, SunOS, MINIX, Linux, POSIX, POSIX.1e, Disco, VMware, jails, Solaris Zones, Denali, Xen, VServer, OpenVZ, QEMU, KVM, AWS, Borg, LXC, Capsicum, Docker, Kubernetes, OCI, ukvm, hvt, LightVM, NEMU, Kata. The same timeline is repeated between the decade slides that follow.]

Page 11

1950s

● Multiprogramming [1][2]
  – multitasking
  – multiprocessing: I/O processors and multiple CPUs
  – time-sharing
  – increase utilization
  – risk of disruption
  – complex to program

● kernel isolation [3][2]

PDP-1, (C) 2006, Matthew Hutchinson, CC BY 2.0

[1] E. F. Codd, E. S. Lowry, E. McDonough, and C. A. Scalzi. Multiprogramming STRETCH: Feasibility Considerations. Communications of the ACM, 2(11):13–17, Nov. 1959.
[2] A. Opler and N. Baird. Multiprogramming: The Programmer’s View. In Proceedings of the 14th National Meeting of the Association for Computing Machinery, 1–4, 1959.
[3] J. P. Buzen and U. O. Gagliardi. The Evolution of Virtual Machine Architecture. In Proceedings of the National Computer Conference and Exposition, AFIPS ’73, 291–299, 1973.

Page 13

1960s

● Capabilities
  – B5000 [1] descriptors
  – theoretical [2]: protected memory, ownership, subsets
  – MIT implementation on (modified) PDP-1 [3]
  – Chicago Magic Number Machine [4]
  – CAL-TSS [4]
  – Provably Secure Operating System [5][6]

Burroughs B5000, origin unknown, http://www.retrocomputingtasmania.com/home/projects/burroughs-b5500/b5000_b5500_gallery

[1] A. J. W. Mayer. The Architecture of the Burroughs B5000: 20 Years Later and Still Ahead of the Times? SIGARCH Comput. Archit. News, 10(4):3–10, June 1982.
[2] J. B. Dennis and E. C. Van Horn. Programming Semantics for Multiprogrammed Computations. Communications of the ACM, 9(3):143–155, Mar. 1966.
[3] W. B. Ackerman and W. W. Plummer. An Implementation of a Multiprocessing Computer System. In Proceedings of the First ACM Symposium on Operating System Principles (SOSP ’67), 5.1–5.10, 1967.
[4] H. M. Levy. Capability-Based Computer Systems. Digital Press, 1984.
[5] P. G. Neumann. A Provably Secure Operating System: The system, its applications, and proofs. Technical report, Computer Science Laboratory, SRI International, 1980.
[6] P. G. Neumann and R. J. Feiertag. PSOS revisited. In Proceedings of the 19th Annual Computer Security Applications Conference, 208–216, Dec. 2003.

Page 14

1960s

● VMs
  – M44/44X [1] virtual memory
  – CP-40/CMS [2], CP-67/CMS [3] for IBM System/360: interrupt separation, paged guest memory, simulated devices, efficient utilization

● OS
  – Multics [4]
  – Unix [5]

[1] R. A. Nelson. Mapping Devices and the M44 Data Processing System. Research Report RC-1303, IBM Thomas J. Watson Research Center, 1964.
[2] R. J. Adair, R. U. Bayles, L. W. Comeau, and R. J. Creasy. A Virtual Machine System for the 360/40. Technical Report 36.010, IBM Cambridge Scientific Center, May 1966.
[3] Control Program-67 Cambridge Monitor System. IBM Type III Release No. 360D-05.2.005. IBM Corporation, Oct. 1971.
[4] J. B. Dennis. Segmentation and the Design of Multiprogrammed Computer Systems. Journal of the ACM, 12(4):589–602, Oct. 1965.
[5] D. Ritchie. The Evolution of the Unix Time-Sharing System. In Proceedings of a Symposium on Language Design and Programming Methodology, 25–36, 1980. Springer-Verlag.

Page 16

1970s

● Capabilities
  – Plessey System 250 [1] telephone-switch controller
  – CAP [2] hardware and OS
  – Intel iAPX 432 [3] poor performance [4]
  – IBM System/38 [5]

CAP, (C) 2004, Daderot, CC BY-SA 3.0

[1] D. M. England. Capability Concept Mechanism and Structure in System 250. In Proceedings of the International Workshop on Protection in Operating Systems, 63–82, Aug. 1974. IRIA.
[2] R. M. Needham and R. D. H. Walker. The Cambridge CAP Computer and its protection system. In Proceedings of the Sixth ACM Symposium on Operating Systems Principles, 1–10, Nov. 1977. ACM.
[3] iAPX 432 General Data Processor Architecture Reference Manual. Intel Corporation, 1981.
[4] P. M. Hansen, M. A. Linton, R. N. Mayo, M. Murphy, and D. A. Patterson. A Performance Evaluation of the Intel iAPX 432. SIGARCH Comput. Archit. News, 10(4):17–26, June 1982.
[5] M. E. Houdek, F. G. Soltis, and R. L. Hoffman. IBM System/38 Support for Capability-based Addressing. In Proceedings of the 8th Annual Symposium on Computer Architecture, 341–348, 1981. IEEE.

Page 17

1970s

● VMs
  – VM/370 [1] for IBM System/370 virtual memory hardware
  – “Since a privileged software nucleus has, in principle, no way of determining whether it is running on a virtual or a real machine, it has no way of spying on or altering any other virtual machine that may be coexisting with it in the same system. […] In practice no virtual machine is completely equivalent to its real machine counterpart.” [2]

● OS
  – BSD [3]
  – chroot [4] filesystem namespaces

[1] R. J. Creasy. The Origin of the VM/370 Time-Sharing System. IBM Journal of Research and Development, 25(5):483–490, Sept. 1981.
[2] J. P. Buzen and U. O. Gagliardi. The Evolution of Virtual Machine Architecture. In Proceedings of the National Computer Conference and Exposition, AFIPS ’73, 291–299, 1973.
[3] M. K. McKusick, M. J. Karels, K. Sklower, K. Fall, M. Teitelbaum, and K. Bostic. Current Research by The Computer Systems Research Group of Berkeley. In Proceedings of the European UNIX Users Group, Apr. 1989.
[4] B. Kernighan and M. McIlroy. UNIX Time-sharing System: UNIX Programmer’s Manual, volume 1, Seventh Edition. Bell Telephone Laboratories, 1979.

Page 19

1980s

● personal computing [1] & monolithic servers
● hardware without virtualization support [2]
● general purpose OS
● Intel x86 [3]: “a crash program…to save Intel’s market share” [4]
● RISC [5] vs CISC

IMSAI 8080 from “WarGames”, (C) 1983, MGM/UA

[1] R. J. Creasy. The Origin of the VM/370 Time-Sharing System. IBM Journal of Research and Development, 25(5):483–490, Sept. 1981.
[2] L. I. Dickman. Small Virtual Machines: A Survey. In Proceedings of the Workshop on Virtual Computer Systems, 191–202, 1973. ACM.
[3] S. P. Morse, B. W. Ravenel, S. Mazor, and W. B. Pohlman. Intel Microprocessors–8008 to 8086. IEEE Computer, 13(10):42–60, Oct. 1980.
[4] S. Mazor. Intel’s 8086. IEEE Annals of the History of Computing, 32(1):75–79, Jan. 2010.
[5] D. A. Patterson and C. H. Sequin. RISC I: A Reduced Instruction Set VLSI Computer. In Proceedings of the 8th Annual Symposium on Computer Architecture, 443–457, 1981. IEEE.

Page 21

1990s

● Containers
  – POSIX.1e capabilities [1]
  – Linux kernel capabilities [2]
  – Plan 9 namespaces [3]: filesystem, process, network, memory

● VMs
  – Disco [4] binary translation
  – VMware [5]

● Google scale?

Google data center order form, 1998, https://plus.google.com/+UrsH%C3%B6lzle/posts/UseioB6wvmh

[1] Protection, Audit and Control Interfaces. Draft POSIX Standard 1003.1e, IEEE, Oct. 1997.
[2] capabilities(7) man page, http://man7.org/linux/man-pages/man7/capabilities.7.html.
[3] R. Pike, D. Presotto, K. Thompson, H. Trickey, and P. Winterbottom. The Use of Name Spaces in Plan 9. SIGOPS Oper. Syst. Rev., 27(2):72–76, Apr. 1993.
[4] E. Bugnion, S. Devine, K. Govil, and M. Rosenblum. Disco: Running Commodity Operating Systems on Scalable Multiprocessors. ACM Trans. Comput. Syst., 15(4):412–447, Nov. 1997.
[5] E. Bugnion, S. Devine, M. Rosenblum, J. Sugerman, and E. Y. Wang. Bringing Virtualization to the x86 Architecture with the Original VMware Workstation. ACM Trans. Comput. Syst., 30(4):12:1–12:51, Nov. 2012.

Page 23

2000s

● Web 2.0, smaller/lighter

● VMs
  – Denali [1][2] paravirtualization
  – Xen [3] multitenancy as a business
  – Amazon Web Services [4] cloud, VM orchestration
  – x86 hardware virtualization [5]
  – KVM [6] (with QEMU)

AWS availability zones, (C) 2016, Amazon.com, Inc. CC BY-SA 4.0

[1] A. Whitaker, M. Shaw, and S. Gribble. Denali: Lightweight Virtual Machines for Distributed and Networked Applications. Technical report, University of Washington, 2002.
[2] A. Whitaker, M. Shaw, and S. D. Gribble. Denali: A Scalable Isolation Kernel. In Proceedings of the 10th Workshop on ACM SIGOPS European Workshop, 10–15, 2002.
[3] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the Art of Virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP ’03), 164–177, 2003.
[4] J. Barr. Amazon EC2 Beta. https://aws.amazon.com/blogs/aws/amazon_ec2_beta. 2006.
[5] J. S. Robin and C. E. Irvine. Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor. In Proceedings of the 9th USENIX Security Symposium, 129–144, 2000.
[6] A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori. KVM: the Linux Virtual Machine Monitor. In Proceedings of the 2007 Ottawa Linux Symposium, 2007.

Page 24

2000s

● Containers
  – FreeBSD Jails [1] & Solaris Zones [2]: filesystem, process, network, resource limits
  – Linux VServer [3] and OpenVZ [4]
  – Linux namespaces [5]: filesystem, process, IPC, network
  – Linux cgroups [6]: resource/process control
  – LXC [7]: cgroups, namespaces, capabilities

● Borg [8] workload orchestration

[1] P.-H. Kamp and R. N. M. Watson. Jails: Confining the omnipotent root. In Proceedings of the 2nd International SANE Conference, 2000.
[2] D. Price and A. Tucker. Solaris Zones: Operating System Support for Consolidating Commercial Workloads. In Proceedings of the 18th USENIX Conference on System Administration (LISA ’04), 241–254, 2004.
[3] S. Soltesz, H. Pötzl, M. E. Fiuczynski, A. Bavier, and L. Peterson. Container-based Operating System Virtualization: A Scalable, High-performance Alternative to Hypervisors. In Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems, 275–287, 2007.
[4] J. N. Matthews, W. Hu, M. Hapuarachchi, T. Deshane, D. Dimatos, G. Hamilton, M. McCabe, and J. Owens. Quantifying the Performance Isolation Properties of Virtualization Systems. In Proceedings of the 2007 Workshop on Experimental Computer Science, 2007.
[5] E. W. Biederman. Multiple instances of the global linux namespaces. In Proceedings of the 2006 Ottawa Linux Symposium, 1:101–112, 2006.
[6] J. Corbet. Process containers, LWN. https://lwn.net/Articles/236038/. 2007.
[7] Á. Kovács. Comparison of different Linux containers. In 2017 40th International Conference on Telecommunications and Signal Processing, 47–51, 2017.
[8] A. Verma, L. Pedrosa, M. Korupolu, D. Oppenheimer, E. Tune, and J. Wilkes. Large-scale Cluster Management at Google with Borg. In Proceedings of the Tenth European Conference on Computer Systems (EuroSys ’15), 18:1–18:17, 2015.
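The capabilities the slide lists under LXC are what a container actually keeps of root, and the kernel exposes them per process in the Cap* lines of /proc/<pid>/status. The decoder below is an added example, not code from the slides: it reads those lines (the status excerpts are constructed, not captured from a real host), names the bits using the numbering from capabilities(7), and flags the ones that let a process act on the shared kernel rather than inside its namespaces. The ISOLATION_BREAKING set is this example's own choice of what counts as risky, not a list from the deck.

```python
"""Decode the Cap* lines of /proc/<pid>/status into capability names and
flag the capabilities that let a container reach past its namespaces.
Added example; bit numbers follow capabilities(7) / <linux/capability.h>."""

# Capability names indexed by bit number (0 = CAP_CHOWN ... 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities whose holder acts on the shared kernel rather than inside its own
# namespaces (module loading, raw I/O, ptrace, the CAP_SYS_ADMIN catch-all). This
# selection is the example's own; a container keeping any of them is isolated only
# as far as the kernel itself is.
ISOLATION_BREAKING = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PTRACE",
    "CAP_SYS_BOOT", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_MAC_ADMIN",
    "CAP_BPF",
}

# Values of the Seccomp: field in /proc/<pid>/status.
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}


def decode_capmask(hexmask):
    """Expand a hex capability mask into the names of its set bits, low to high."""
    mask = int(hexmask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits past the table come from a kernel newer than this name list.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(status_text):
    """Report effective and bounding sets, the risky subset, and the seccomp mode."""
    fields = parse_status(status_text)
    bounding = decode_capmask(fields.get("CapBnd", "0"))
    return {
        "effective": decode_capmask(fields.get("CapEff", "0")),
        "bounding": bounding,
        # The bounding set matters most: it caps what any exec() can regain.
        "risky": sorted(ISOLATION_BREAKING.intersection(bounding)),
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp", "0"), "unknown"),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
    }


# Constructed status excerpts: a container with a trimmed bounding set and a
# seccomp filter, and a "privileged" one holding every capability (bits 0-40).
TRIMMED_STATUS = "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n" \
                 "CapBnd:\t00000000a80425fb\nNoNewPrivs:\t1\nSeccomp:\t2\n"
PRIVILEGED_STATUS = "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n" \
                    "NoNewPrivs:\t0\nSeccomp:\t0\n"

if __name__ == "__main__":
    for label, text in (("trimmed", TRIMMED_STATUS), ("privileged", PRIVILEGED_STATUS)):
        report = audit(text)
        print(f"{label}: {len(report['effective'])} effective caps, "
              f"seccomp={report['seccomp']}, risky={report['risky'] or 'none'}")
```

On a live host the same functions can be pointed at the text of /proc/<pid>/status for a containerized process; a non-empty "risky" list or seccomp "disabled" means the container's isolation rests entirely on the kernel.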

Page 26

2010s

● Containers
  – Docker [1] mass adoption
  – Linux user namespaces [2]
  – Kubernetes [3] workload orchestration

[1] Á. Kovács. Comparison of different Linux containers. In 2017 40th International Conference on Telecommunications and Signal Processing, 47–51, 2017.
[2] E. W. Biederman. Multiple instances of the global linux namespaces. In Proceedings of the 2006 Ottawa Linux Symposium, 1:101–112, 2006.
[3] E. A. Brewer. Kubernetes and the Path to Cloud Native. In Proceedings of the 6th ACM Symposium on Cloud Computing, 167–167, 2015.

Page 27

Myths: VM performance

● ukvm [1] renamed to hvt
● LightVM [2] faster Xen
● NEMU [3] minimal QEMU

[1] D. Williams and R. Koller. Unikernel Monitors: Extending Minimalism Outside of the Box. In 8th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 16), 6, 2016.
[2] F. Manco, C. Lupu, F. Schmidt, J. Mendes, S. Kuenzer, S. Sati, K. Yasukata, C. Raiciu, and F. Huici. My VM is Lighter (and Safer) Than Your Container. In Proceedings of the 26th Symposium on Operating Systems Principles (SOSP ’17), 218–233, 2017.
[3] https://github.com/intel/nemu

Page 28

Myths: container security

● Kata Containers [1] (was Intel Clear Containers [2])
  – QEMU+KVM

● gVisor [3]
  – kernel
  – devices
  – syscall filtering

● Depends on kernel security [4][5] and “self-protection” [6]

[1] https://katacontainers.io/
[2] A. van de Ven. An introduction to Clear Containers. LWN. https://lwn.net/Articles/644675/. 2015.
[3] https://github.com/google/gvisor
[4] E. Reshetova, J. Karhunen, T. Nyman, and N. Asokan. Security of OS-Level Virtualization Technologies. Secure IT Systems, Lecture Notes in Computer Science, 77–93. Springer, 2014.
[5] X. Gao, Z. Gu, M. Kayaalp, D. Pendarakis, and H. Wang. ContainerLeaks: Emerging Security Threats of Information Leakages in Container Clouds. In 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 237–248, 2017.
[6] S. Bratus, M. E. Locasto, A. Ramaswamy, and S. W. Smith. VM-based Security Overkill: A Lament for Applied Systems Security Research. In Proceedings of the 2010 New Security Paradigms Workshop, 51–60, 2010.

Page 29

Myths: VM security

● Lines of code: only vague potential for security [1][2]

● Attack vectors [3]
  – source: VM guest (Xen 71%, KVM 66%)
  – target: Ring -1, Dom0, host (Xen 80%, KVM 76%)

● Instruction emulation: arbitrary, unfiltered [4]

● Depends on kernel security [5] and “self-protection” [6]

[1] M. Pearce, S. Zeadally, and R. Hunt. Virtualization: Issues, security threats, and solutions. ACM Computing Surveys, 45(2):1–39, Feb. 2013.
[2] D. Williams, R. Koller, and B. Lum. Say Goodbye to Virtualization for a Safer Cloud. In 10th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 18), 2018.
[3] D. Perez-Botero, J. Szefer, and R. B. Lee. Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers. In Proceedings of the 2013 International Workshop on Security in Cloud Computing, 3–10, 2013.
[4] K. Ishiguro and K. Kono. Hardening Hypervisors Against Vulnerabilities in Instruction Emulators. In Proceedings of the 11th European Workshop on Systems Security (EuroSec ’18), 7:1–7:6, 2018.
[5] F. Lombardi and R. Di Pietro. Secure virtualization for cloud computing. Journal of Network and Computer Applications, 34(4):1113–1122, July 2011.
[6] S. Bratus, M. E. Locasto, A. Ramaswamy, and S. W. Smith. VM-based Security Overkill: A Lament for Applied Systems Security Research. In Proceedings of the 2010 New Security Paradigms Workshop, 51–60, 2010.

Page 30

Myths: VM security

● Separate kernel mitigates some classes of vulnerabilities

● Speculative execution vulnerabilities
  – Spectre, NetSpectre [1][2]
  – Meltdown [3]
  – Foreshadow, L1TF [4][5]

Spectre, Meltdown, and Foreshadow icons, (C) 2018, Natascha Eibl, CC0

[1] P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom. Spectre Attacks: Exploiting Speculative Execution. arXiv:1801.01203 [cs], Jan. 2018.
[2] M. Schwarz, M. Schwarzl, M. Lipp, and D. Gruss. NetSpectre: Read Arbitrary Memory over Network. arXiv:1807.10535 [cs], July 2018.
[3] M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg. Meltdown. arXiv:1801.01207 [cs], Jan. 2018.
[4] J. Van Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In 27th USENIX Security Symposium, 991–1008, Baltimore, Aug. 2018.
[5] O. Weisse, J. V. Bulck, M. Minkin, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, R. Strackx, T. F. Wenisch, and Y. Yarom. Foreshadow-NG: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution. Technical report, Aug. 2018.

Page 31

Lasciate ogne speranza, voi ch'intrate

– Dante Alighieri, “Inferno”

(Common translation: Abandon all hope, ye who enter here)

Page 32

Positive directions

● Capabilities
  – Capsicum [1]
  – CHERI [2]
  – Fuchsia [3]

● Hardware
  – RISC-V [4]
  – OpenTitan [5]

● OS
  – OpenBSD pledge [6], unveil [7]

DE4 prototype tablet computer running CHERI, origin unknown, https://www.cl.cam.ac.uk/research/comparch/opensource/de4tablet/tablet-booting-cheri.jpg

[1] R. Watson, J. Anderson, B. Laurie, and K. Kennaway. Capsicum: Practical Capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium, 2010.
[2] J. Woodruff, R. N. Watson, D. Chisnall, S. W. Moore, J. Anderson, B. Davis, B. Laurie, P. G. Neumann, R. Norton, and M. Roe. The CHERI Capability Model: Revisiting RISC in an Age of Risk. In Proceedings of the 41st Annual International Symposium on Computer Architecture, 457–468, 2014.
[3] Google. Fuchsia is not Linux: A modular, capability-based operating system. https://fuchsia.googlesource.com/docs/+/HEAD/the-book/README.md.
[4] K. Asanović and D. A. Patterson. Instruction Sets Should Be Free: The Case For RISC-V. Technical Report UCB/EECS-2014-146, University of California, Berkeley, Aug. 2014.
[5] D. Rizzo and P. Ranganathan. Titan: Google’s Root-of-Trust Security Silicon. In Proceedings of the IEEE Hot Chips Symposium, Aug. 2018.
[6] pledge(2) manpage, https://man.openbsd.org/pledge.2
[7] unveil(2) manpage, https://man.openbsd.org/unveil.2

Page 33

Future directions

● Reexamine the full stack: hardware, kernel, OS, hypervisor/containers, guest, application workloads

● Synthesis: architecture/systems/security

Page 34

Questions?

Futuristic data center, origin unknown, https://on.rt.com/lu029w
